
NIS2 Art.21.1: Cybersecurity Risk Management Framework

What This Control Requires

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

In Plain Language

Everything else in NIS2 compliance builds on this foundation. Without a structured, documented risk management framework, your security measures are just a collection of ad-hoc decisions with no coherent strategy behind them. Article 21.1 requires you to establish a programme that systematically identifies, analyses, evaluates, and treats cybersecurity risks - proportionate to your size and the criticality of your services.

The scope is broad. Your framework must cover all network and information systems used in operations and service delivery - not just core IT infrastructure, but also OT environments, cloud services, third-party integrations, and digital supply chain dependencies. Management must formally approve the framework and review it at defined intervals.

The "appropriate and proportionate" language is important. A 50-person company is not expected to match a multinational's security budget. But you still need to show a deliberate, risk-based approach to cybersecurity governance. The key is demonstrating that your measures are suitable for the risks you face and reasonable given your resources.

How to Implement

Start with a comprehensive asset inventory covering all network and information systems used for operations and service delivery. Include hardware, software, cloud services, data flows, and third-party integrations. You cannot manage risks to assets you do not know about.

Adopt a recognised risk management methodology - ISO 27005, NIST SP 800-30, or OCTAVE all work well. Define your risk appetite and acceptance criteria with senior management input. Document how you identify, score, and prioritise threats, vulnerabilities, and impacts.

Run your initial risk assessment across all identified assets and processes. For each risk, decide whether to mitigate, transfer, accept, or avoid it. Document the rationale behind each decision and assign named risk owners who are accountable for monitoring their risks.

Maintain a living risk register. Set review cycles - annually at minimum, and whenever significant changes occur to the threat landscape, organisational structure, or technology stack. The risk register should directly inform security planning and budget allocation, not sit in a drawer.

Connect risk management to your governance structure. Use risk outputs to inform board-level reporting, investment decisions, and operational priorities. Train relevant staff on the methodology and make sure they understand their roles within it.

Define metrics to track programme effectiveness over time. Track the ratio of risks identified versus treated, mean time to remediate high-severity risks, and the percentage of assets covered by the risk assessment.
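As an added illustration (not code from AuditFront or from the NIS2 text), a minimal risk register in Python that enforces the named-owner and documented-rationale requirements, flags open risks that have passed their review cycle, and computes the three effectiveness metrics described above. The severity threshold, asset names and register entries are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

HIGH_SEVERITY = 15  # constructed threshold: likelihood x impact >= 15 counts as high

@dataclass
class Risk:
    rid: str
    asset: str
    likelihood: int          # 1-5
    impact: int              # 1-5
    owner: str               # named individual accountable for monitoring the risk
    treatment: str           # mitigate | transfer | accept | avoid
    rationale: str           # why that treatment was chosen
    identified: date
    last_review: date
    closed: "date | None" = None   # set once the treatment is complete

def validate(r: Risk) -> list:
    # Record-keeping gaps an auditor would flag on a single register entry
    gaps = []
    if not r.owner.strip():
        gaps.append(f"{r.rid}: no named risk owner")
    if not r.rationale.strip():
        gaps.append(f"{r.rid}: no documented rationale")
    return gaps

def overdue_reviews(register, today: date, cycle_days: int = 365) -> list:
    # Open risks whose last review is older than the review cycle (annual by default)
    return [r.rid for r in register
            if r.closed is None and (today - r.last_review).days > cycle_days]

def metrics(register, assets: set) -> dict:
    # Treated ratio, mean days to close high-severity risks, share of the inventory assessed
    treated = [r for r in register if r.closed is not None]
    high = [r for r in treated if r.likelihood * r.impact >= HIGH_SEVERITY]
    covered = {r.asset for r in register} & assets
    return {
        "treated_ratio": len(treated) / len(register) if register else 0.0,
        "mttr_high_days": sum((r.closed - r.identified).days for r in high) / len(high) if high else None,
        "asset_coverage": len(covered) / len(assets) if assets else 0.0,
    }

# Constructed sample inventory and register (not real data)
ASSETS = {"erp", "hmi-plc", "crm-saas", "vpn-gateway"}
REGISTER = [
    Risk("R1", "erp", 4, 5, "A. Ndiaye", "mitigate", "Monthly patch cadence", date(2024, 1, 10), date(2024, 6, 1), closed=date(2024, 2, 1)),
    Risk("R2", "hmi-plc", 3, 5, "B. Rossi", "transfer", "Cyber insurance", date(2024, 1, 10), date(2024, 1, 10)),
    Risk("R3", "crm-saas", 2, 2, "", "accept", "", date(2024, 3, 1), date(2024, 3, 1)),
]
```

Run against the sample register, R3 fails validation on both owner and rationale, R2 shows up as overdue for review, and the metrics report one of three risks treated, 22 days to close the single high-severity risk, and 75 % asset coverage (the VPN gateway has never been assessed).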

Evidence Your Auditor Will Request

  • Documented cybersecurity risk management policy approved by management
  • Risk assessment methodology documentation
  • Current risk register with identified risks, owners, and treatment plans
  • Board or management body meeting minutes showing risk management oversight
  • Evidence of periodic risk assessment reviews and updates

Common Mistakes

  • Risk assessments performed as one-off exercises rather than maintained continuously
  • Incomplete asset inventories that miss shadow IT, cloud services, or OT systems
  • Risk register exists on paper but is not used to drive operational security decisions
  • No clear risk ownership or accountability assigned to specific individuals
  • Failure to calibrate risk measures proportionately to the organisation's size and criticality

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.1        Related
ISO 27001   A.6.1        Related
SOC 2       CC3.1        Related

Frequently Asked Questions

What does 'proportionate' mean in the context of NIS2 risk management?

It means your measures should be reasonable given your organisation's size, the likelihood and severity of potential incidents, the criticality of the services you provide, and current best practices. A small essential entity does not need the same security budget as a large enterprise, but it still needs a structured, risk-based approach. Proportionality is about demonstrating thoughtful decision-making, not spending the least possible.

Do we need to use a specific risk management standard?

NIS2 does not mandate a particular standard, but picking a recognised framework like ISO 27005 or the NIST RMF is strongly recommended. It shows rigour, gives you a repeatable process, and makes compliance audits significantly smoother than defending a homegrown approach.
